Network World

Security Strategies Alert

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Search Security Strategies Alert Security news and resources from Network World.

Detailing contingency planning: 11/09/09; Despite the inclusion of "for Federal Information Systems" in the title, SP 800-34 Rev 1 has a great deal of value for all information assurance and business continuity specialists.
SP 800-53 is essential for security in federal government IT systems: 11/04/09; SP 800-53 (Appendix H) provides two-way mappings between security controls defined in SP 800-53 and security controls defined in international security standard ISO/IEC 27001, Information Security Management Systems
Extensive Catalog Provides Security Controls for Contemporary Security Requirements: 11/02/09; In the current Revision 3 update of SP 800-53 there are over 200 security controls for protecting information and information systems.
NIST SP800-53 Rev. 3: Risk Management Framework Underpins the Security Life Cycle: 10/28/09; SP 800-39 also provides guidance for managing risk associated with the development, implementation, operation, and use of information systems.
NIST SP800-53 Rev. 3: Key to Unified Security Across Federal Government and Private Sectors: 10/26/09; Standards play a critical role in information assurance. Given the impossibility of defining a deterministic model that includes billions of users, millions of computers, and thousands of programs and protocols potentially interacting with each other unpredictably, we have to rely on human consensus about best practices if we are to progress in our field. Standards also provide a basis for demonstrating due care and diligence in fulfilling our fiduciary responsibilities to stakeholders.
Understanding and implementing information security metrics: 10/21/09; One of the cornerstones of the scientific method is measurability: a focus on defining the ways of counting or measuring aspects of reality that we hope will be strongly associated with the phenomena we are trying to understand.
Hiring hackers: A rebuttal (part 2): 10/19/09; The original articles on hiring hackers and criminal hackers into IT groups as programmers, network administrators and security personnel did not discuss the merits or the consideration of hiring a bona fide hacker.
Hiring hackers: A Rebuttal (part 1): 10/14/09; Reader (and Norwich University MSIA graduate) Paul O'Neil disagrees with my suggestions in the recent two-part article "Hiring Hackers" published in this column. He has written a thoughtful and constructive rebuttal which has made me think critically about my position even though I disagree with him; I hope his two-part analysis will stimulate further discussion. Everything that follows is O'Neil's work with minor edits.
Data-theft trojans and the changing face of the Web: 10/12/09; In 2004, Russell Beale of the University of Birmingham penned an interesting article discussing the social changes taking place on the Web. In his summation, Professor Beale noted, "We have split the Web atom – previously atomic units were Web pages – once you'd got them you could analyze them into text and graphics, but you generally dealt in whole pages. Now our atomic unit is much smaller – we can construct things out of fragments of pages. And this makes a second difference – consumers can look only at what they want."
The Norm Coleman Web crash and full disclosure: 10/07/09; In the first of this three-part series, Becki True, CISSP and I recounted the story of the breach of security of the colemanforsenate.com Web site. This second column is also the product of close collaboration between True and myself.
The Norm Coleman Web crash and full disclosure: 10/05/09; How do we make ethical decisions? It is surely not by announcing preferences as if we were choosing a flavor of ice cream. There are guidelines we can follow in making ethical decisions, as Professor John Orlando, PhD described in an earlier series in this column in 2007 on social engineering in penetration testing.
Applying the science of persuasion to security awareness: 09/30/09; Do you ever wonder whether all those security-awareness posters, coffee mugs, pens, mouse pads, and sandwich-bag clips are having any effect at all to improve security?
The IA Professional's Toolkit Part 7: 09/28/09; In this, the final segment of security consultant Gordon Merrill's series on fundamental management tools for IA professionals in general and IA security consultants in particular, we look at how to handle problems wisely.
The IA Professional's Toolkit Part 6: 09/23/09; As an information assurance (IA) consultant and as an in-house IA professional, you are a vendor to your client or your employer. How you handle vendors during a consulting project or in your day-to-day work can affect the success of your security project.
The IA Professional's Toolkit Part 5: 09/21/09; Organizations should always be looking for ways to minimize their exposure to legal entanglements. No one wants to be sued, to be subject to regulatory sanctions or to become involved in criminal prosecutions. As an information assurance (IA) professional, you will consistently be called on to ensure that your employers or your clients are compliant with all relevant regulations; you may be asked to verify such compliance as part of your job and in collaboration with or as principal in audit procedures that protect the organization by demonstrating due diligence in the exercise of fiduciary responsibility.
The IA Professional's Toolkit Part 4: 09/16/09; A common comment from engineering and technical personnel is that if we can't measure something, we can't manage it effectively.
The IA Professional's Toolkit Part 3: 09/14/09; Tightening financial constraints on any business are requiring information technology (IT) and information assurance (IA) professionals to start showing proof of benefit and cost justifications for their departments, their workforce, their capital expenditures, and their consultants. In an interview, one CISO told me that a consultant or employee has to provide good financial figures, cost justifications, and achievable metrics so she can back up her requests to the Board of Directors for approval and funding; she won't hire any consultant who fails to provide such details.
The IA Professional's Toolkit Part 2: 09/09/09; Nothing will delay a project more than people who just cannot get along. As an information assurance (IA) professional, whether you're an employee or a consultant, you may have to become the subject-matter expert (SME) of teamwork to keep the project on track and on course with your contract. You will have to foster good working relationships with all team members and help to smooth out the rough places.
The IA Professional's Toolkit Part 1: 09/07/09; Starting from a sound technical foundation, information assurance (IA) professionals must hone their management skills. IA experts need to be competent in project management, team building, business justification, defining usable metrics, creating security frameworks, applying regulatory knowledge, managing client/vendor relations and managing problems. This series of articles on the Information Assurance Professional's Toolkit reviews what C-level executives want to see in their IA employees and IA consultants.
Pseudonymous critic impugns integrity of all security professionals: 09/02/09; In a recent response to an article on hiring hackers, a pseudonymous critic calling itself "Secure network..." posted a comment entitled "so called hacking and security professionals." It started with the run-on sentence, "Of course someone calling them selves[sic] a ‘security Professional’ would be upset, it's job security they're losing...."
Identity Theft Resource Center Part 2: 08/31/09; Today I'm pointing to the report entitled, "Identity Theft: The Aftermath 2008." The PDF is 43 pages long and has a great deal of useful data for researchers and information assurance (IA) professionals.
Identity theft resource center: 08/26/09; Identity theft (IDT) continues to grow in the US and the world as electronic personally identifiable information (PII) about all of us increases in volume and dispersion. The Identity Theft Resource Center® (ITRC) provides excellent resources to help information assurance (IA) professionals and the public keep informed about current IDT developments and countermeasures.
IA Policies Part 2: 08/24/09; How do we resolve the issue of acknowledging (to ourselves) that some of our information assurance (IA) policies cannot, or should not, be strictly enforced, while at the same time conveying to staff the importance of always following IA policies?
IA policies (part 1): 08/19/09; How do we resolve the issue of acknowledging (to ourselves) that some of our information assurance (IA) policies cannot, or should not, be strictly enforced, while at the same time conveying to staff the importance of always following IA policies?
Hiring hackers (part 2): 08/17/09; This is the second of a two-part series on hiring hackers and criminal hackers into information technology (IT) groups as programmers, network administrators and security personnel.